securekomodo:~#

hacker of things

Hacking and Penetration Testing

Certified Ethical Hacker (CEH)

It is time to get back to the basics of hacking. It’s tough to be a in a security position and admit that you don’t know EVERYTHING about security and penetration testing. The sooner this notion is accepted, the sooner new concepts can be learned, and old concepts can be further stored into long-term memory. Most of what will be described in this post is simply review since technically this should already be known prior to starting a CEH training program, but I know I can gain a better understanding and strengthen core concepts by touching on a few important topics. This post will provide definitions associated with ethical hacking and security policies, as well as provide a clear explanation about introductory networking, hacking phases, and stages of a penetration test. That being said, let’s start with the ever famous OSI Model. This is something that is taught to all undergraduates in any basic networking or security course. Many have memorized the names to the layers and their order, but do not understand why or how they work. Lets review…

The OSI model

In order for two computers to communicate with each other, there must be some interface which will send/receive “bits“, this is your Network Interface Controller “NIC”. This is where Layer 1 comes into play. Layer 1 (Physical) is the physical media required to send/receive the binary (ones and zeros) transmissions between hosts. Now what happens when a new host(s) is added to your network? How will you know who to send binary information to, or where it is coming from? This is where Layer 2 comes into play.

Layer 2 (Data Link) will use a physical addressing scheme to identify hosts within a network. Using whats known as “Frames“, it will include addressing for the intended sender/recipient within a network. I like to think of this as a street address on a mailing envelope. But what if this data needs to be sent to another network outside of yours? The mailing envelope at some point will need to leave your neighborhood, state, or even your country! And it is not feasible to think that every computer can know the physical address of all computers in the world…

Well Layer 3 (Network) provides another method of addressing using “Packets“. Packets contain logical addressing and routing information (source and destination IP Addresses) about the neighborhood its intended for. Think of this like the ZIP code on our envelope example.

Layer 4 (Transport) contains information about how data will be sent. Remember the last 4 letters of the word transPORT since this is the layer is where port assignments take place. Using whats known as “Segments“, layer 4 will provide the protocols defining the way information will be sent between the source and destination hosts. The most common transport protocols would be TCP and UDP. Where TCP guarantees delivery, and UDP is more of a “fire-and-forget” methodology. I like to think of this layer as the type of mail service you want for your envelope. Do you want ground shipping with signature upon delivery? Maybe you want next-day air with no confirmation?? The next layer was the most difficult for me to comprehend and can be the most confusing.

Layer 5 (Session) is more of a theoretical layer put in place to handle (you guessed it), sessions. Its only job is to open, close, and manage connections “sockets” between one or more hosts. It is required to have an active session to deliver data. Some sessions can remain open for long durations and multiple deliveries of data, where others may only be open for a single transmission. If you open a command prompt and type “netstat” you will see a list of all connections and their statuses from your computer.

Layer 6 (Presentation) is responsible for molding the data into a format that applications can understand. Since not every computer contains the same applications, there has to be standards to ensure successful delivery and interpretation of the data. Some examples of these standard formats could be ASCII, JPEG, GIF..etc. I like to think of layer 6 as the translator to the application layer.

Lastly there is Layer 7 (Application) and could be considered the “closest” layer to the user. This is the software which is required to view the data into a human-readable format. Applications such as an internet browser will use protocols like HTTP or HTTPS to view web pages, and FTP will allow users to transport files across networks.

In the last three layers of the OSI model, the protocol data unit is referred to as “data“. Take a look at this sweet figure I made below which nicely displays the OSI model, the TCP/IP model, and their associated ports and services.

So remember that frames contain packets, packets contain segments, and segments contain data. Lets take a look at some common definitions that will be good for a few easy answers on the exam.

A criminal hacker “cracker” who is using their skills for malicious intent

Gray Hat

Curious hackers who are neither good or bad, but demonstrate flaws in information systems with or without consent

Information Security Policy

Clearly identifies the rules and regulations for an organizations computer assets along with the punishment for non-compliance. Also referred to as an “Acceptable Use Policy”, employees normally sign off to acknowledge their understanding.

Information Protection Policy

Defines the sensitivity levels of data and who has access to those levels. In addition it will define how information is stored, transmitted, and purged.

Information Audit Policy

Defines the rules and guidelines for auditing security within an organization.

Operating System (OS) Attack

This is an attack that takes advantage of a vulnerable operating system installed on a computer.

Application Level Attack

This attacks the vulnerable programming code of a given application.

Shrink Wrap Code Attack

Takes place when an attack is based around a script or code provided by “off-the-shelf” software.

Misconfiguration Attack

Exploit takes place on systems that have intentionally or unintentionally not been properly configured

The CEH exam does not focus on too many definition questions, but I guess they are still found. So memorizing some terms and common attacks could surely be some easy points when test day comes.

Last but not least I want to talk about the 5 hacking stages and the 3 steps of a penetration test. All sources agree that there will be many questions referencing the various stages so I will just list them out here.

Stage 1 – Reconnaissance

Stage 2 – Scanning and Enumeration

Stage 2.5 —– Privilege Escalation

Stage 3 – Gaining Access

Stage 4 – Maintaining Access

Stage 5 – Covering Tracks

During Reconnaissance, an ethical hacker will be gathering information (passively or actively) about a given target. This could mean parking outside an office and observing the habits of employees as they arrive to work. Or it could be looking up domain information and declared network ranges or network sniffing. During the Scanning and Enumeration phase, an ethical hacker will use tools and techniques to get in-depth knowledge about the target. This could mean scanning to identify the types of computers on the network and which are vulnerable to attack. Or even just checking to see if a port is open on a given host. Next that leads us into the most fun stage, Gaining Access. This is where a vulnerable system is exploited and security controls are circumvented in order to gain access to a host. Or it could be as simple as connecting to an open WI-fi and poking around its configurations. After access is achieved, you are going to want to keep it. The next step called Maintaining Access is where backdoors are put in place to ensure there is a way to connect back to the exploited host, even if it is rebooted. This is also referred to as persistence. And last but not least is Covering Tracks. After you just did all that work it would be a shame to have a forensics expert derail your whole pentest because of some logs! So this is where you take extra measures to not leave a trace behind while you do your business on the system.

Now there are only 3 stages of a penetration test, and be sure not to confuse this with the 5 hacking stages.

Stage 1 – Preparation

This is where the contract is signed, outlining the framework of the penetration test. This is really what sets the ethical apart from the unethical

Stage 2 – Assessment

During the Assessment phase, the actual penetration test is underway and the ethical hacker will use the 5 hacking stages to conduct his/her assessment.

Stage 3 – Conclusion

Lastly the conclusion will report all the findings of the assessment and often times even providing recommendations on how to fix.

That was really it for the first module, you can see most of it is review and not fun material. The rest of my posts will be focusing on phase 3 of the hacking phases which is gaining access. They will go into detail about the various tools and techniques used to perform all types of attacks so stay tuned for more content!